Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 551752 (CVE-2015-3209) - <app-emulation/qemu-2.3.0-r2: pcnet: multi-tmd buffer overflow in the tx path (CVE-2015-3209)
Summary: <app-emulation/qemu-2.3.0-r2: pcnet: multi-tmd buffer overflow in the tx path...
Alias: CVE-2015-3209
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa cve]
Depends on:
Reported: 2015-06-11 10:10 UTC by Agostino Sarubbo
Modified: 2015-10-31 15:06 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-06-11 10:10:38 UTC
From ${URL} :

A flaw was found in the way QEMU's AMD PCnet Ethernet emulation handled multi-TMD packet with length above 4096 bytes. 4096 is the maximum length per TMD and it is also currently the size of the relay buffer pcnet driver uses for sending the packet data to QEMU 
for further processing. With packet spanning multiple TMDs it can happen that the overall packet size will be bigger than sizeof(buffer), which results in memory corruption.

A privileged guest user in a guest with AMD PCNet ethernet card enabled could potentially use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2015-07-06 04:13:08 UTC
CVE-2015-3209 (
  Heap-based buffer overflow in the PCNET controller in QEMU allows remote
  attackers to execute arbitrary code by sending a packet with
  TXSTATUS_STARTPACKET set and then a crafted packet with TXSTATUS_DEVICEOWNS
Comment 3 SpanKY gentoo-dev 2015-07-06 11:44:11 UTC
fine stabilize the new version
Comment 4 Agostino Sarubbo gentoo-dev 2015-07-06 12:17:19 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2015-07-06 12:17:40 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2015-07-16 12:12:28 UTC
Arches, Thank you for your work.

New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).
Comment 7 Manuel Rüger (RETIRED) gentoo-dev 2015-08-28 00:16:04 UTC
Vulnerable versions have been removed.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2015-10-31 15:06:53 UTC
This issue was resolved and addressed in
 GLSA 201510-02 at
by GLSA coordinator Kristian Fiskerstrand (K_F).